* Puppeteer should preferably use the built-in sandbox (ie. do not set `--no-sandbox`, `-disable-setuid-sandbox` options). If that's not possible, the reasons should be documented. If it's not possible and other sandboxing is possible (e.g. firejail), we should look into that.
* Puppeteer should properly verify SSL certs; the `ignoreHTTPSErrors` probably disables that (if not, a reassuring comment would be good). If that's not possible, the reasons should be documented.
After discussion we decided to:
 Remove the ignoreHTTPSErrors flag
 Document the use of --no-sandbox flag and the firejail sandboxing in the project page or wikitech docs